DISA/NSA move to address insider threats to enterprise networks

By Defense Systems Staff

May 15, 2013

Insider threats will become more acute as military organizations transition to wide-scale enterprise architecture, hastening the need to block and uncover them quickly. As such, the Defense Information Systems Agency (DISA) has issued a solicitation for enterprise services attack analysis capabilities to address such threats.

DISA and the National Security Agency want to develop an information assurance (IA) audit management system with an enterprise-service capability for logging, data collection, and data analysis covering the IA devices and systems of enterprise services (e.g., DoD enterprise email, enterprise SharePoint, enterprise cross domain). It will also be able to detect malicious threats from insiders.

“The technical challenge is to develop the data management architecture and manipulation tools including the use of Big Data cloud storage and analysis technologies that will enable automated identification of critically anomalous events that indicate both internal and external malicious activity,” states the solicitation. “The objective of the IA audit management system is to provide the capability to defend against insider threat as well as external threats to the DoD, thus vastly improving DoD’s auditing processes and defense-in-depth strategy.”

The solicitation also states that the system will increase the security of continuously monitored systems and the availability of mission information, and will reduce the time and resources spent on repetitive, time-intensive manual reviews of audit logs that are often fruitless.

The objective of the solicitation is to develop and support the implementation of analytical methods to support DoD computer network defense (CND) analytics performed at the operational level (CYBERCOM, NSA, combatant commanders, services, and other agencies).

Work performed under this contract will support the enterprise attack analysis effort, which is focused on DoD enterprise service logs, including enterprise service gateway logs. The contractor will also provide implementation and development support for log scripting to characterize threats such as malware and attack vectoring, create analytical methods that counter malware and network vulnerabilities through analysis of web, firewall, and other hardware logs, and train the DoD CND community in scripted log analysis. According to the solicitation, this is not exclusively a software development effort.

“The purpose of this effort is not primarily to develop deployable government-off-the-shelf software packages to the CND community, but to develop/enhance scripts (similar to macros) that will reside on government servers at centralized locations that will pull from existing government databases and various log files, to perform analysis of architecture to determine threats and proposed data collection and aggregation, and work with CND analysts to improve detection of attacks against the DoD Global Information Grid,” states the solicitation.